How to install CSF firewall with basic allow and deny configuration on Debian 12
Introduction
ConfigServer Security & Firewall (CSF) is an iptables-based stateful packet inspection firewall paired with lfd, the Login Failure Daemon, which watches logs for failed logins and other suspicious activity and blocks the offending addresses. Installing it with a basic allow and deny configuration means installing the software, adjusting csf.conf (at minimum leaving TESTING mode), and adding addresses to csf.allow or csf.deny so that specific hosts are permitted or blocked. The result is explicit control over which traffic reaches the server and which addresses it will talk to.
Procedure Steps:
Step 1: Check the OS version with the following command.
root@linuxhelp:~# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 12 (bookworm)
Release: 12
Codename: bookworm
Step 2: Install the packages CSF depends on (iptables, Perl and the Perl modules it uses) with the following command.
root@linuxhelp:~# apt install iptables perl zip unzip libwww-perl libcrypt-ssleay-perl libnet-http-perl libio-socket-ssl-perl ca-certificates
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
iptables libbytes-random-secure-perl libcrypt-random-seed-perl
libcrypt-ssleay-perl libip6tc2 libmath-random-isaac-perl
libmath-random-isaac-xs-perl zip
0 upgraded, 8 newly installed, 0 to remove and 57 not upgraded.
Need to get 752 kB of archives.
After this operation, 3,550 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://deb.debian.org/debian bookworm/main amd64 libip6tc2 amd64 1.8.9-2 [19.4 kB]
Ign:1 http://deb.debian.org/debian bookworm/main amd64 libip6tc2 amd64 1.8.9-2
Setting up zip (3.0-13) ...
Setting up libcrypt-random-seed-perl (0.03-3) ...
Setting up libmath-random-isaac-xs-perl (1.004-3+b1) ...
Setting up iptables (1.8.9-2) ...
update-alternatives: using /usr/sbin/iptables-legacy to provide /usr/sbin/iptables (iptables) in auto mode
Setting up libbytes-random-secure-perl (0.29-3) ...
Setting up libcrypt-ssleay-perl (0.73.06-2+b1) ...
Processing triggers for man-db (2.11.2-2) ...
Processing triggers for libc-bin (2.36-9+deb12u1) ...
Step 3: Change to the directory where the source archive will be unpacked.
root@linuxhelp:~# cd /usr/src
Step 4: Download the CSF archive from the ConfigServer site. The only integrity check here is the HTTPS connection, and the installer in Step 8 runs as root, so read install.sh before executing it.
root@linuxhelp:/usr/src# wget https://download.configserver.com/csf.tgz
--2023-11-07 07:59:53-- https://download.configserver.com/csf.tgz
Resolving download.configserver.com (download.configserver.com)... 94.130.90.175
Connecting to download.configserver.com (download.configserver.com)|94.130.90.175|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2288991 (2.2M) [application/x-gzip]
Saving to: ‘csf.tgz’
csf.tgz 100%[===================>] 2.18M 2.01MB/s in 1.1s
2023-11-07 07:59:55 (2.01 MB/s) - ‘csf.tgz’ saved [2288991/2288991]
Step 5: Extract the archive (the file listing below is abbreviated).
root@linuxhelp:/usr/src# tar -xvzf csf.tgz
csf/
csf/csf.uidignore
csf/csf.vesta.conf
csf/csf.vesta.ignore
csf/csfajaxtail.js
csf/csftest.pl
csf/csget.pl
csf/exploitalert.tx
csf/uidscan.txt
csf/uninstall.cwp.sh
csf/uninstall.cyberpanel.sh
csf/uninstall.directadmin.sh
csf/uninstall.generic.sh
csf/uninstall.interworx.sh
csf/uninstall.sh
csf/uninstall.vesta.sh
csf/upgrade.txt
csf/usertracking.txt
csf/version.txt
csf/watchalert.txt
csf/webminalert.txt
csf/x-arf.txt
Step 6: Change into the extracted csf directory.
root@linuxhelp:/usr/src# cd csf
Step 7: List the directory contents in long format (output abbreviated).
root@linuxhelp:/usr/src/csf# ls -la
total 2620
drwxr-xr-x 20 root root 4096 Oct 2 16:43 .
drwxr-xr-x 3 root root 4096 Nov 7 08:00 ..
-rw-r--r-- 1 root root 124 Feb 1 2013 accounttracking.txt
-rw-r--r-- 1 root root 181 Feb 1 2013 alert.txt
-rw-r--r-- 1 root root 1028 Feb 29 2020 apache.https.txt
-rw-r--r-- 1 root root 770 Feb 29 2020 apache.http.txt
-rw-r--r-- 1 root root 0 Feb 29 2020 apache.main.txt
-rwxr-xr-x 1 root root 976 Aug 11 2019 apf_stub.pl
-rwxr-xr-x 1 root root 1074 May 30 2020 install.sh
-rw-r--r-- 1 root root 129 Feb 1 2013 watchalert.txt
drwxr-xr-x 3 root root 4096 Apr 17 2023 webmin
-rw-r--r-- 1 root root 165 Mar 3 2022 webminalert.txt
-rw-r--r-- 1 root root 1225 Aug 12 2019 x-arf.txt
Step 8: Run the installer script as root. Note in the output that it enables csf.service and lfd.service, switches the configuration to the iptables-nft backend, and masks firewalld.service (the symlink to /dev/null) so that a second firewall cannot overwrite CSF's rules.
root@linuxhelp:/usr/src/csf# sh install.sh
Selecting installer...
Running csf generic installer
Installing generic csf and lfd
Check we're running as root
mkdir: created directory '/etc/csf'
'install.txt' -> '/etc/csf/install.txt'
Checking Perl modules...
Configuration modified to use iptables-nft
Configuration modified to use ip6tables-nft
Configuration modified for Debian/Ubuntu/Gentoo settings /etc/csf/csf.conf
...Perl modules OK
Created symlink /etc/systemd/system/multi-user.target.wants/csf.service → /lib/systemd/system/csf.service.
Created symlink /etc/systemd/system/multi-user.target.wants/lfd.service → /lib/systemd/system/lfd.service.
Failed to disable unit: Unit file firewalld.service does not exist.
Failed to stop firewalld.service: Unit firewalld.service not loaded.
Unit firewalld.service does not exist, proceeding anyway.
Created symlink /etc/systemd/system/firewalld.service → /dev/null.
'/etc/csf/csfwebmin.tgz' -> '/usr/local/csf/csfwebmin.tgz'
Installation Completed
Step 9: Verify that the kernel provides the iptables modules CSF needs. Every line should read OK; a failure here means the corresponding rules will not load.
root@linuxhelp:/usr/src/csf# perl /usr/local/csf/bin/csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK
Step 10: Check the CSF version. The warning shows that CSF ships with TESTING mode enabled; lfd will not start until it is turned off in Step 12.
root@linuxhelp:/usr/src/csf# csf -v
csf: v14.20 (generic)
*WARNING* TESTING mode is enabled - do not forget to disable it in the configuration
Step 11: Change to the CSF configuration directory.
root@linuxhelp:/usr/src/csf# cd /etc/csf/
Step 12: Edit csf.conf for the basic configuration. The setting that must change is TESTING, shown below already set to "0" (the shipped default is "1"). Before changing it, confirm that the port sshd listens on is present in TCP_IN: the default list includes 22 but not a non-standard SSH port, and once TESTING is "0" the safety cron job that flushes iptables is removed, so a TCP_IN without your SSH port locks you out. While in the file, also review RESTRICT_SYSLOG, which the SECURITY WARNING printed when csf starts refers to.
root@linuxhelp:/etc/csf# vim csf.conf
###############################################################################
# SECTION:Initial Settings
###############################################################################
# Testing flag - enables a CRON job that clears iptables incase of
# configuration problems when you start csf. This should be enabled until you
# are sure that the firewall works - i.e. incase you get locked out of your
# server! Then do remember to set it to 0 and restart csf when you're sure
# everything is OK. Stopping csf will remove the line from /etc/crontab
#
# lfd will not start while this is enabled
TESTING = "0"
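As an added example (not code from the page or from the CSF project), the following POSIX shell script applies these Initial Settings changes to a copy of csf.conf and enforces the lockout guard described above: it will not set TESTING to "0" unless the SSH port is in the TCP_IN list it is given. The function names csf_get, csf_set and csf_harden are this example's own, and the sample csf.conf it edits is constructed for the demonstration; it assumes the KEY = "value" layout shown in the excerpt.

```shell
#!/bin/sh
# Added example, not code from the original page or from the CSF project.
# Applies the basic csf.conf changes to a file you name, refusing to leave
# TESTING mode unless the SSH port is in TCP_IN (after TESTING="0" the cron
# job that flushes iptables is gone, so a wrong TCP_IN locks you out).
# Assumes the KEY = "value" layout shown in the csf.conf excerpt.

# csf_get FILE KEY  -> prints the unquoted value of KEY
csf_get() {
    sed -n "s|^$2 = \"\(.*\)\"|\1|p" "$1"
}

# csf_set FILE KEY VALUE  -> replaces KEY's line, or appends it if missing
csf_set() {
    if grep -q "^$2 = " "$1"; then
        sed -i "s|^$2 = .*|$2 = \"$3\"|" "$1"
    else
        printf '%s = "%s"\n' "$2" "$3" >> "$1"
    fi
}

# csf_harden FILE SSH_PORT TCP_IN_LIST
# Restricts inbound ports to TCP_IN_LIST, restricts syslog access as the
# csf.conf SECURITY WARNING recommends, then disables TESTING.
# Returns 1 and changes nothing if SSH_PORT is not in TCP_IN_LIST.
csf_harden() {
    conf=$1; ssh_port=$2; tcp_in=$3
    case ",$tcp_in," in
        *,"$ssh_port",*) ;;
        *) echo "refusing: SSH port $ssh_port is not in TCP_IN=\"$tcp_in\"" >&2; return 1 ;;
    esac
    csf_set "$conf" TCP_IN "$tcp_in"
    csf_set "$conf" RESTRICT_SYSLOG 3   # 3 = restrict syslog/rsyslog files to RESTRICT_SYSLOG_GROUP
    csf_set "$conf" TESTING 0           # lfd will not start while TESTING = "1"
}

# --- demo on a constructed copy; never point this at /etc/csf/csf.conf untested ---
sample=$(mktemp)
cat > "$sample" <<'EOF'
# SECTION:Initial Settings (constructed sample, defaults as shipped)
TESTING = "1"
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
RESTRICT_SYSLOG = "0"
EOF
# SSH moved to 2222 but the list omits it: the guard trips and TESTING stays "1"
csf_harden "$sample" 2222 "80,443" || echo "guard tripped, TESTING is still $(csf_get "$sample" TESTING)"
# SSH on 22 and 22 is in the list: settings are applied
csf_harden "$sample" 22 "22,80,443" && cat "$sample"
rm -f "$sample"
```

Run it against a copy of /etc/csf/csf.conf first, diff the result against the original, and only then copy it into place and restart with csf -ra.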
Step 13: Restart csf and lfd so the change takes effect (-ra restarts both). The output shows lfd starting for the first time, followed by two warnings: there is no sendmail binary at /usr/sbin/sendmail, so lfd cannot deliver alert e-mails until an MTA that provides it is installed, and RESTRICT_SYSLOG is still disabled.
root@linuxhelp:/etc/csf# csf -ra
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
Flushing chain `PREROUTING'
Flushing chain `OUTPUT'
LOCALOUTPUT all opt -- in * out !lo ::/0 -> ::/0
LOCALINPUT all opt -- in !lo out * ::/0 -> ::/0
● lfd.service - ConfigServer Firewall & Security - lfd
Loaded: loaded (/lib/systemd/system/lfd.service; enabled; preset: enabled)
Active: active (running) since Tue 2023-11-07 08:04:46 IST; 12ms ago
Process: 8182 ExecStart=/usr/sbin/lfd (code=exited, status=0/SUCCESS)
Main PID: 8195 (lfd - starting)
Tasks: 1 (limit: 3408)
Memory: 25.5M
CPU: 378ms
CGroup: /system.slice/lfd.service
└─8195 "lfd - starting"
Nov 07 08:04:46 linuxhelp systemd[1]: Starting lfd.service - ConfigServer Firewall & Security - lfd...
Nov 07 08:04:46 linuxhelp systemd[1]: Started lfd.service - ConfigServer Firewall & Security - lfd.
*WARNING* Binary location for [SENDMAIL] [/usr/sbin/sendmail] in /etc/csf/csf.conf is either incorrect, is not installed or is not executable
*WARNING* Missing or incorrect binary locations will break csf and lfd functionality
*WARNING* RESTRICT_SYSLOG is disabled. See SECURITY WARNING in /etc/csf/csf.conf.
Step 14: Start the firewall, which loads the rules from csf.conf, csf.allow and csf.deny into iptables.
root@linuxhelp:/etc/csf# csf -s
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
Flushing chain `DENYIN'
Flushing chain `DENYOUT'
Flushing chain `INVALID'
LOCALOUTPUT all opt -- in * out !lo ::/0 -> ::/0
LOCALINPUT all opt -- in !lo out * ::/0 -> ::/0
*WARNING* Binary location for [SENDMAIL] [/usr/sbin/sendmail] in /etc/csf/csf.conf is either incorrect, is not installed or is not executable
*WARNING* Missing or incorrect binary locations will break csf and lfd functionality
*WARNING* RESTRICT_SYSLOG is disabled. See SECURITY WARNING in /etc/csf/csf.conf.
Step 15: Enable csf and lfd. The reply "csf and lfd are not disabled!" means the installer already enabled them, so this command changes nothing here; it is needed only after a csf -x (disable).
root@linuxhelp:/etc/csf# csf -e
csf and lfd are not disabled!
Step 16: Deny an IP address. csf -d adds it to csf.deny and inserts iptables rules immediately: inbound traffic from the address is dropped and outbound traffic to it is logged and dropped (LOGDROPOUT), as the two rule lines show.
root@linuxhelp:/etc/csf# csf -d 192.168.6.102
Adding 192.168.6.102 to csf.deny and iptables DROP...
DROP all opt -- in !lo out * 192.168.6.102 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.6.102
Step 17: Open csf.deny to confirm the entry. csf appends a comment recording when and how the address was denied; csf -g 192.168.6.102 shows the matching rules from the live iptables tables as well.
root@linuxhelp:/etc/csf# vim csf.deny
###############################################################################
# Copyright 2006-2018, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
# The following IP addresses will be blocked in iptables
# One IP address per line
# CIDR addressing allowed with a quaded IP (e.g. 192.168.254.0/24)
# Only list IP addresses, not domain names (they will be ignored)
#
# Note: If you add the text "do not delete" to the comments of an entry then
# DENY_IP_LIMIT will ignore those entries and not remove them
#
# Advanced port+ip filtering allowed with the following format
# tcp/udp|in/out|s/d=port,port,...|s/d=ip
#
# See readme.txt for more information regarding advanced port filtering
#
192.168.6.102 # Manually denied: 192.168.6.102 (-) - Thu Nov 9 10:09:51 2023
Step 18: Test connectivity to the denied address with ping. Because the deny also blocks outbound traffic, the kernel refuses to send the echo request (sendmsg: Operation not permitted) rather than waiting for a reply that never comes.
root@linuxhelp:/etc/csf# ping 192.168.6.102
PING 192.168.6.102 (192.168.6.102) 56(84) bytes of data.
From 192.168.6.131 icmp_seq=1 Destination Port Unreachable
ping: sendmsg: Operation not permitted
From 192.168.6.131 icmp_seq=2 Destination Port Unreachable
ping: sendmsg: Operation not permitted
From 192.168.6.131 icmp_seq=3 Destination Port Unreachable
ping: sendmsg: Operation not permitted
From 192.168.6.131 icmp_seq=4 Destination Port Unreachable
ping: sendmsg: Operation not permitted
^C
--- 192.168.6.102 ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3060ms
Step 19: Allow the IP address. csf -a first removes the address from csf.deny and deletes its DROP rules, then adds it to csf.allow with ACCEPT rules in both directions on every port. If the host only needs one service, the advanced port form documented in csf.allow (for example tcp|in|d=22|s=192.168.6.102) is the least-privilege alternative.
root@linuxhelp:/etc/csf# csf -a 192.168.6.102
Removing 192.168.6.102 from csf.deny...
Removing rule...
DROP all opt -- in !lo out * 192.168.6.102 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.6.102
Adding 192.168.6.102 to csf.allow and iptables ACCEPT...
ACCEPT all opt -- in !lo out * 192.168.6.102 -> 0.0.0.0/0
ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.6.102
Step 20: Open csf.allow to confirm the entry. Note the file's own caveat: an address in csf.allow can still be blocked by lfd; to exempt it from lfd's login-failure blocking as well, add it to csf.ignore.
root@linuxhelp:/etc/csf# vim csf.allow
###############################################################################
# Copyright 2006-2018, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
# The following IP addresses will be allowed through iptables.
# One IP address per line.
# CIDR addressing allowed with a quaded IP (e.g. 192.168.254.0/24).
# Only list IP addresses, not domain names (they will be ignored)
#
# Advanced port+ip filtering allowed with the following format
# tcp/udp|in/out|s/d=port|s/d=ip
# See readme.txt for more information
#
# Note: IP addressess listed in this file will NOT be ignored by lfd, so they
# can still be blocked. If you do not want lfd to block an IP address you must
# add it to csf.ignore
192.168.6.102 # Manually allowed: 192.168.6.102 (-) - Tue Nov 7 08:08:38 2023
Step 21: Test connectivity to the allowed address with ping; replies now arrive.
root@linuxhelp:/etc/csf# ping 192.168.6.102
PING 192.168.6.102 (192.168.6.102) 56(84) bytes of data.
64 bytes from 192.168.6.102: icmp_seq=1 ttl=128 time=0.654 ms
64 bytes from 192.168.6.102: icmp_seq=2 ttl=128 time=1.21 ms
64 bytes from 192.168.6.102: icmp_seq=3 ttl=128 time=1.31 ms
^C
--- 192.168.6.102 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2031ms
rtt min/avg/max/mdev = 0.654/1.059/1.310/0.289 ms
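Steps 16 through 21 manage csf.allow and csf.deny one address at a time. As an added example (not code from the page or from the CSF project), the following POSIX shell script builds entries for those files while enforcing two points their headers state: only IPv4 addresses or CIDR blocks are honoured (a hostname would be silently ignored by csf, so it is rejected here), and an entry can be narrowed to one port and direction with the tcp/udp|in/out|s/d=port|s/d=ip form instead of opening every port. The functions is_ipv4_cidr, csf_entry and csf_add_line are this example's own, the scratch file is constructed, and csf itself is not invoked.

```shell
#!/bin/sh
# Added example, not code from the original page or from the CSF project.
# Builds validated csf.allow / csf.deny entries, optionally narrowed to one
# port and direction. The scratch file in the demo is constructed; nothing
# here touches /etc/csf or runs csf(1).

# is_ipv4_cidr ADDR  -> 0 if ADDR is a dotted quad with an optional /0-32 prefix
is_ipv4_cidr() {
    addr=${1%%/*}
    pfx=${1#*/}
    [ "$pfx" = "$1" ] && pfx=32        # no "/" given: a single host
    case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
    [ "$pfx" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -f; set -- $addr; set +f; IFS=$oldifs
    [ $# -eq 4 ] || return 1           # hostnames and short forms fail here
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# csf_entry ADDR [tcp|udp in|out PORT]
# Prints one csf.allow/csf.deny line. With no protocol the whole host or
# network matches on every port (what csf -a / csf -d write); with one, only
# that port and direction match, using the advanced "proto|dir|port|ip" form.
csf_entry() {
    is_ipv4_cidr "$1" || { echo "rejected '$1': not an IPv4 address or CIDR" >&2; return 1; }
    if [ $# -eq 1 ]; then printf '%s\n' "$1"; return 0; fi
    case "$2" in tcp|udp) ;; *) echo "bad protocol '$2'" >&2; return 1 ;; esac
    case "$4" in ''|*[!0-9]*) echo "bad port '$4'" >&2; return 1 ;; esac
    [ "$4" -ge 1 ] && [ "$4" -le 65535 ] || return 1
    case "$3" in
        in)  printf '%s|in|d=%s|s=%s\n'  "$2" "$4" "$1" ;;   # inbound: dest port, source IP
        out) printf '%s|out|d=%s|d=%s\n' "$2" "$4" "$1" ;;   # outbound: dest port, dest IP
        *)   echo "bad direction '$3'" >&2; return 1 ;;
    esac
}

# csf_add_line FILE ENTRY COMMENT  -> appends "ENTRY # COMMENT" unless ENTRY
# is already listed (comments ignored), so repeated runs stay idempotent.
csf_add_line() {
    file=$1; entry=$2; comment=$3
    [ -n "$entry" ] || { echo "empty entry, nothing added" >&2; return 1; }
    if [ -f "$file" ] && awk -v e="$entry" '
        { line = $0; sub(/[ \t]*#.*/, "", line); sub(/[ \t]+$/, "", line)
          if (line == e) found = 1 }
        END { exit !found }' "$file"
    then
        echo "already present: $entry" >&2
        return 0
    fi
    printf '%s # %s\n' "$entry" "$comment" >> "$file"
}

# --- demo on a constructed scratch file (not /etc/csf/csf.allow) ---
demo=$(mktemp)
csf_add_line "$demo" "$(csf_entry 192.168.6.102 tcp in 22)" "admin host: SSH only"
csf_add_line "$demo" "$(csf_entry 192.168.6.0/24)" "lab network, all ports"
csf_add_line "$demo" "$(csf_entry 192.168.6.102 tcp in 22)" "duplicate, skipped"
csf_entry evil.example || true          # hostnames are rejected, not silently ignored
cat "$demo"; rm -f "$demo"
```

After appending real entries to /etc/csf/csf.allow or csf.deny, run csf -r so the rules are loaded, then csf -g with the address to confirm they are in iptables.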
Step 22: Check the status of the csf and lfd services. csf.service only runs csf --initup to load the rules and then exits; it shows inactive (dead) here because the rules were loaded by hand with csf -s in Step 14, not through systemd. lfd is running.
root@linuxhelp:/etc/csf# systemctl status csf lfd
○ csf.service - ConfigServer Firewall & Security - csf
Loaded: loaded (/lib/systemd/system/csf.service; enabled; preset: enabled)
Active: inactive (dead)
● lfd.service - ConfigServer Firewall & Security - lfd
Loaded: loaded (/lib/systemd/system/lfd.service; enabled; preset: enabled)
Active: active (running) since Tue 2023-11-07 08:05:57 IST; 6min ago
Process: 8558 ExecStart=/usr/sbin/lfd (code=exited, status=0/SUCCESS)
Main PID: 8571 (lfd - sleeping)
Tasks: 1 (limit: 3408)
Memory: 28.0M
CPU: 4.429s
CGroup: /system.slice/lfd.service
└─8571 "lfd - sleeping"
Nov 07 08:05:57 linuxhelp systemd[1]: Starting lfd.service - ConfigServer Firew>
Nov 07 08:05:57 linuxhelp systemd[1]: Started lfd.service - ConfigServer Firewa>
Step 23: If csf.service is not active, start both services with the following command.
root@linuxhelp:/etc/csf# systemctl start csf lfd
Step 24: Check the status of both services again. active (exited) is the expected state for csf.service, since csf --initup exits once the rules are loaded; lfd remains active (running).
root@linuxhelp:/etc/csf# systemctl status csf lfd
● csf.service - ConfigServer Firewall & Security - csf
Loaded: loaded (/lib/systemd/system/csf.service; enabled; preset: enabled)
Active: active (exited) since Tue 2023-11-07 08:12:37 IST; 8s ago
Process: 8800 ExecStart=/usr/sbin/csf --initup (code=exited, status=0/SUCCE>
Main PID: 8800 (code=exited, status=0/SUCCESS)
CPU: 1.351s
Nov 07 08:12:37 linuxhelp csf[8800]: ACCEPT all opt -- in * out lo ::/0 -> :>
Nov 07 08:12:37 linuxhelp csf[8800]: LOGDROPOUT all opt -- in * out !lo ::/0 >
Nov 07 08:12:37 linuxhelp csf[8800]: LOGDROPIN all opt -- in !lo out * ::/0 >
Nov 07 08:12:37 linuxhelp csf[8800]: csf: FASTSTART loading DNS (IPv4)
Nov 07 08:12:37 linuxhelp csf[8800]: csf: FASTSTART loading DNS (IPv6)
Nov 07 08:12:37 linuxhelp csf[8800]: LOCALOUTPUT all opt -- in * out !lo 0.0.>
Nov 07 08:12:37 linuxhelp csf[8800]: LOCALINPUT all opt -- in !lo out * 0.0.0>
Nov 07 08:12:37 linuxhelp csf[8800]: LOCALOUTPUT all opt -- in * out !lo ::/0>
Nov 07 08:12:37 linuxhelp csf[8800]: LOCALINPUT all opt -- in !lo out * ::/0 >
Nov 07 08:12:37 linuxhelp systemd[1]: Finished csf.service - ConfigServer Firew>
● lfd.service - ConfigServer Firewall & Security - lfd
Loaded: loaded (/lib/systemd/system/lfd.service; enabled; preset: enabled)
Active: active (running) since Tue 2023-11-07 08:05:57 IST; 6min ago
Process: 8558 ExecStart=/usr/sbin/lfd (code=exited, status=0/SUCCESS)
Main PID: 8571 (lfd - sleeping)
Conclusion:
This guide walked through installing the CSF firewall on Debian 12, leaving TESTING mode so that lfd runs, and using csf -d and csf -a to deny and allow a specific IP address. Your feedback is welcome.